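---
# OpenLDAP (slapd) server tasks: seed debconf and install slapd, enable
# ldaps:///, deploy a TLS key/certificate and a hardened cipher list, enforce a
# minimum SSF, load the memberof overlay, seed the directory tree plus
# service/group entries, and rotate the cn=admin password. Every variable used
# here is expected from the role's defaults/vars; none is defined in this file.

# debconf answers are seeded before the package so the postinst creates the
# initial database with the intended suffix instead of its own defaults.
- name: Set domain for slapd
  debconf:
    name: slapd
    question: slapd/domain
    vtype: string
    value: "{{ ldap_server_domain }}"

- name: Set organisation for slapd
  debconf:
    name: slapd
    question: slapd/organization
    vtype: string
    value: "{{ ldap_server_organization }}"

- name: Install slapd
  apt:
    name: slapd
    state: present

# On Debian /etc/ssl/private is traversable only by group ssl-cert. The key
# deployed below is group-owned by openldap, so ssl-cert membership grants
# directory traversal only, not read access to other keys stored there.
- name: Allow OpenLDAP user to traverse the directory with TLS private keys
  user:
    name: openldap
    append: true
    groups: ssl-cert
  register: openldap_in_ssl_cert

# A running process does not pick up new supplementary groups; restart at once
# rather than via the handler so the key is readable for the TLS tasks below.
- name: Restart slapd if group membership has changed
  service:
    name: slapd
    state: restarted
  when: openldap_in_ssl_cert.changed

- name: Install Python LDAP bindings
  apt:
    name: python-ldap
    state: present

# ldaps:/// (port 636) needs the TLS settings applied later in this file; the
# restart is left to the handler, which runs after those tasks, so slapd does
# not come back up advertising ldaps without a certificate.
- name: Set-up LDAP server to listen on legacy SSL port
  lineinfile:
    dest: /etc/default/slapd
    state: present
    backrefs: true
    regexp: '^SLAPD_SERVICES=.*'
    line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
  notify:
    - Restart slapd

# rcconf is used because systemd's SysV compatibility did not reliably enable
# the unit; an empty stderr is treated as "service was enabled".
- name: Enable slapd service on boot (workaround for systemctl broken handling of SysV)
  command: rcconf -on slapd
  register: result
  changed_when: result.stderr == ""

- name: Enable slapd service
  service:
    name: slapd
    state: started

- name: Deploy system logger configuration file for slapd
  copy:
    src: slapd_rsyslog.conf
    dest: /etc/rsyslog.d/slapd.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart rsyslog

- name: Deploy configuration file for log rotation of slapd logs
  copy:
    src: slapd_logrotate
    dest: /etc/logrotate.d/slapd
    owner: root
    group: root
    mode: "0644"

- name: Change log level for slapd
  ldap_entry:
    dn: cn=config
    state: replace
    olcLogLevel: "{{ ldap_server_log_level }}"

# cn=config is managed with SASL EXTERNAL over the ldapi socket, which relies
# on the Debian default ACL that maps the root peercred identity to a manager
# of the config database. The URI is pinned so the commands do not depend on a
# URI setting in /etc/ldap/ldap.conf (the admin password task below already
# uses ldapi:/// explicitly).
- name: Test if LDAP misc schema has been applied
  command: ldapsearch -Q -LLL -A -H ldapi:/// -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn
  register: ldap_misc_schema_present
  changed_when: false

- name: Deploy LDAP misc schema
  command: ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/ldap/schema/misc.ldif
  when: ldap_misc_schema_present.stdout == ""

# The private key is readable by root and group openldap only. no_log keeps
# the key material out of task output and --diff/--check runs.
- name: Deploy LDAP TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
    content: "{{ ldap_server_tls_key }}"
    mode: "0640"
    owner: root
    group: openldap
  no_log: true
  notify:
    - Restart slapd

- name: Deploy LDAP TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    content: "{{ ldap_server_tls_certificate }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart slapd

# olcTLSCipherSuite is a GnuTLS priority string (Debian builds slapd against
# GnuTLS): TLS 1.2 only, RSA-signed X.509 certificates, (EC)DHE key exchange,
# AES-GCM and AES-CBC with SHA-2 MACs. The CBC suites are the weaker half of
# the list and are presumably kept for client compatibility. No CA file is
# configured here, so client certificates are not verified by this role.
- name: Configure TLS for slapd (includes hardening)
  ldap_entry:
    dn: cn=config
    state: replace
    olcTLSCertificateFile: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
    olcTLSCipherSuite: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
  notify:
    - Restart slapd

# olcSecurity ssf= is the minimum security strength factor for every
# operation, which rejects cleartext binds over ldap://. olcLocalSSF gives
# ldapi connections the same factor, so local binds over the socket pass.
- name: Configure SSF
  ldap_entry:
    dn: cn=config
    state: replace
    olcSecurity: "ssf={{ ldap_server_ssf }}"
    olcLocalSSF: "{{ ldap_server_ssf }}"

- name: Enable the memberof module
  ldap_entry:
    dn: "cn=module{0},cn=config"
    state: append
    olcModuleLoad: "{1}memberof"

# memberof maintains memberOf on entries listed as uniqueMember of a
# groupOfUniqueNames; RefInt keeps memberships consistent on rename/delete.
- name: Enable the memberof overlay for database
  ldap_entry:
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
    objectClass:
      - olcConfig
      - olcMemberOf
      - olcOverlayConfig
    olcOverlay: memberof
    olcMemberOfRefInt: "TRUE"
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember

# Access rules come entirely from ldap_permissions (role variable).
- name: Apply database permissions
  ldap_permissions:
    filter: "(olcSuffix={{ ldap_server_int_basedn }})"
    rules: "{{ ldap_permissions }}"

# The `ldap_entry: ""` + args form below is this file's convention for entries
# whose attributes are lists; kept as-is.
- name: Create basic LDAP directory structure
  ldap_entry: ""
  args:
    dn: "ou={{ item }},{{ ldap_server_int_basedn }}"
    objectClass:
      - organizationalUnit
    ou: "{{ item }}"
  with_items:
    - people
    - groups
    - services

- name: Create the entry that will contain mail service information
  ldap_entry: ""
  args:
    dn: "ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: mail

- name: Create LDAP directory structure for mail service
  ldap_entry: ""
  args:
    dn: "ou={{ item }},ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: "{{ item }}"
  with_items:
    - domains
    - aliases

# userPassword is stored exactly as supplied: olcPasswordHash only applies to
# the Password Modify extended operation, not to a direct attribute write, so
# pass a pre-hashed value (e.g. {SSHA}...) unless cleartext storage is
# intended. no_log keeps item.password out of task output.
- name: Create or remove login entries for services
  ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
    objectClass:
      - applicationProcess
      - simpleSecurityObject
    cn: "{{ item.name }}"
    userPassword: "{{ item.password }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ ldap_server_consumers }}"
  no_log: true

# groupOfUniqueNames requires at least one uniqueMember, hence the cn=NONE
# placeholder; members are expected to be appended elsewhere.
- name: Create or remove user-supplied groups
  ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=groups,{{ ldap_server_int_basedn }}"
    objectClass: groupOfUniqueNames
    cn: "{{ item.name }}"
    uniqueMember: "cn=NONE"
    state: "{{ item.state | default('append') }}"
  with_items: "{{ ldap_server_groups }}"

# Free-form entries. If ldap_entries can carry secrets (e.g. userPassword),
# add no_log: true here as well; it is left off so failures stay diagnosable.
- name: Create user-supplied LDAP entries
  ldap_entry: ""
  args:
    dn: "{{ item.dn }}"
    state: "{{ item.state | default(omit)}}"
    attributes: "{{ item.attributes }}"
  with_items: "{{ ldap_entries }}"

- name: Deploy firewall configuration for LDAP
  copy:
    src: "ferm_ldap.conf"
    dest: "/etc/ferm/conf.d/10-ldap.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# The admin password is staged in a root-only file so it never appears on a
# command line or in the process list; the file is removed again below. Both
# ldapwhoami -y and ldappasswd -T use the complete file contents, so the
# template must not end with a newline -- verify ldap_admin_password.j2.
# no_log keeps the rendered secret out of task output and --diff runs. Note
# that an aborted run between this task and the removal leaves the file
# behind (a block/always would close that gap on Ansible >= 2.0).
- name: Deploy temporary file with LDAP admin password
  template:
    src: "ldap_admin_password.j2"
    dest: "/root/.ldap_admin_password"
    owner: root
    group: root
    mode: "0400"
  changed_when: false
  no_log: true

# Simple bind over ldapi so the check is not refused by olcSecurity when
# ldap_server_ssf is non-zero (a cleartext bind over the default ldap:// URI
# would be) and does not depend on the ldap.conf URI. Any non-zero rc (wrong
# password, missing entry) triggers the rotation below.
- name: Test if LDAP admin password needs to be changed
  command: ldapwhoami -H ldapi:/// -D "cn=admin,{{ ldap_server_int_basedn }}" -x -y /root/.ldap_admin_password
  register: ldap_admin_password_check
  changed_when: ldap_admin_password_check.rc != 0
  failed_when: false

# Reset via root peercred (EXTERNAL over ldapi), so no old password is needed.
- name: Update LDAP admin password
  command: ldappasswd -Y EXTERNAL -H ldapi:/// "cn=admin,{{ ldap_server_int_basedn }}" -T /root/.ldap_admin_password
  when: ldap_admin_password_check.rc != 0

- name: Remove temporary file with LDAP admin password
  file:
    path: "/root/.ldap_admin_password"
    state: absent
  changed_when: false

- name: Enable backup
  include: backup.yml
  when: enable_backup

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers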